A recent Canvas data breach saw data from more than 275-million people in about 9 000 schools and universities around the world compromised – and it might still be leaked.
ShinyHunters, the hacking group that claimed responsibility for the Instructure data breach, shared a ransom letter giving a deadline of 3 May for a ransom to be paid.
Now, the group has extended that deadline to 12 May.
The hacking group claims to have access several billion private messages among students and teachers and students, many containing personal conversations. It says the institution’s Salesforce instance was also breached, with other data also potentially compromised.
Instructure says the unauthorised actor carried out activities by exploiting an issue related to its Free-For-Teacher accounts. It has shut down these accounts, which are a core part of its platform, while it works to resolve the issues.
“In the meantime, Canvas is fully back online and available for use,” the company says.
It has also revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across its platforms.
“Beyond the immediate response, we’re hardening administrative access, token management, permissions, monitoring, and related workflows.”
Instructure has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
Brandon Blankenship, chief information security officer at ProCircular, has been monitoring the case.
“The Canvas breach is a reminder that shared infrastructure risk is institutional risk. When a platform serving 41% of North American higher education is compromised, every tenant becomes a potential extortion target, regardless of their own security posture. We saw this play out after the PowerSchool incident in 2024, and we expect the same pattern here.
“This moment calls for institutions to stop treating third-party SaaS platforms as someone else’s problem. Credential rotation at the vendor level does not eliminate persistence mechanisms inside your own tenant, and a ransom payment has never guaranteed data deletion.
“The path forward is proactive auditing, pre-established incident response protocols, and a firm organizational stance against negotiation before a threat ever arrives, Blankenship adds.